Attribute-Based Encryption for Circuits from Multilinear Maps



Amit Sahai Brent Waters 



Abstract 

In this work, we provide the first construction of Attribute-Based Encryption (ABE) for general circuits. Our construction is based on the existence of multilinear maps. We prove selective security of our scheme in the standard model under the natural multilinear generalization of the BDDH assumption. Our scheme achieves both Key-Policy and Ciphertext-Policy variants of ABE.
1 Introduction



In traditional public key encryption a sender will encrypt a message to a targeted individual recipient using the recipient's public key. However, in many applications one may want to have a more general way of expressing who should be able to view encrypted data. Sahai and Waters [SW05] introduced the notion of Attribute-Based Encryption (ABE). There are two variants of ABE: Key-Policy ABE and Ciphertext-Policy ABE [GPSW06]. (We will consider both these variants in this work.) In a Key-Policy ABE system, a ciphertext encrypting a message $M$ is associated with an assignment $x$ of boolean variables. A secret key SK is issued by an authority and is associated with a boolean function $f$ chosen from some class of allowable functions $\mathcal{F}$. A user with a secret key for $f$ can decrypt a ciphertext associated with $x$ if and only if $f(x) = 1$.

Since the introduction of ABE there have been advances in multiple directions. These include new proof techniques to achieve adaptive security [LOS+10, OT10, LW12], decentralizing trust among multiple authorities [Cha07, CC09, LW11], and applications to outsourcing computation [PRV12].

However, the central challenge of expanding the class of allowable boolean functions $\mathcal{F}$ has been very resistant to attack. Viewed in terms of circuit classes, the work of Goyal et al. [GPSW06] achieved the best result until now: their construction achieved security essentially for circuits in the complexity class $\mathrm{NC}^1$. This is the class of circuits with depth $\log n$, or equivalently, the class of functions representable by polynomial-size boolean formulas. Achieving ABE for general circuits is arguably the central open direction in this area.¹

Difficulties in achieving Circuit ABE and the Backtracking Attack. To understand why achieving ABE for general circuits has remained a difficult problem, it is instructive to examine the mechanisms of existing constructions based on bilinear maps. Intuitively, a bilinear map allows one to decrypt using group elements as keys (or key components) as opposed to exponents. By handing out a secret key that consists of group elements, an authority is able to computationally hide some secrets embedded in that key from the key holder herself. In contrast, if a secret key consists of exponents in $\mathbb{Z}_p$ for a group of prime order $p$, as in say an ElGamal type system, then the key holder or a collusion of key holders can solve for these secrets using algebra. This computational hiding in bilinear map based systems allows an authority to personalize keys to a user and prevent collusion attacks, which are the central threat.

Using GPSW [GPSW06] as a canonical example we illustrate some of the main principles of decryption. In their system, private keys consist of bilinear group elements for a group of prime order $p$ and are associated with random values $r_y \in \mathbb{Z}_p$ for each leaf node $y$ in the boolean formula $f$. A ciphertext encrypted to descriptor $x$ has randomness $s \in \mathbb{Z}_p$. The decryption algorithm begins by applying a pairing operation to each "satisfied" leaf node and obtains $e(g,g)^{r_y s}$ for each satisfied node $y$. From this point onward decryption consists solely of finding whether there is a linear combination (in the exponent) of the $r_y$ values that can lead to computing $e(g,g)^{\alpha s}$, which will be the "blinding factor" hiding the message $M$. (The value $e(g,g)^{\alpha}$ is defined in the public parameters.) The decryption algorithm should be able to find such a linear combination only if $f(x) = 1$. Of particular note is that once the $e(g,g)^{r_y s}$ values are computed, the pairing operation plays no further role in decryption. Indeed it cannot, since it is intuitively "used up" on the initial step.

¹ We note that if collusions between secret key holders are bounded by a publicly known polynomially-bounded number in advance, then even stronger results are known [SS10, GVW12]. However, throughout this paper we will deal only with the original setting of ABE where unbounded collusions are allowed between adversarial users.

Let's now take a closer look at how GPSW structures the private keys given a boolean formula. Suppose that a boolean formula contained an OR gate $T$ that received inputs from gates $A$ and $B$. Then the authority would associate gate $T$ with a value $r_T$ and gates $A$, $B$ with values $r_A = r_B = r_T$ to match the OR functionality. Now suppose that on a certain input assignment $x$ gate $A$ evaluates to 1, but gate $B$ evaluates to 0. The decryptor will then learn the "decryption value" $e(g,g)^{s r_A}$ for gate $A$ and can interpolate upward simply by noting that $e(g,g)^{s r_T} = e(g,g)^{s r_A}$. While this structure reflects an OR gate, it also has a critical side effect. The decryption algorithm also learns the decryption value $e(g,g)^{s r_B}$ for gate $B$ even though gate $B$ evaluates to 0 on input $x$. We call such a discovery a backtracking attack.

Note that boolean formulas are circuits with fanout one. If the fanout is one, then the back- 
tracking attack produces no ill effect since an attacker has nowhere else to go with this information 
that he has learned. However, suppose we wanted to extend this structure with circuits of fanout 
of two or more, and that gate B also fed into an AND gate R. In this case the backtracking attack 
would allow an attacker to act like B was satisfied in the formula even though it was not. This 
misrepresentation can then be propagated up a different path in the circuit due to the larger fanout. 
(Interestingly, this form of attack does not involve collusion with a second user.) 

We believe that such backtracking attacks are the principal reason that the functionality of existing ABE systems has been limited to circuits of fanout one. Furthermore, we conjecture that, since the pairing operation is used up in the initial step, there is no black-box way of realizing general ABE for circuits from bilinear maps.

Our Results. We present a new methodology for constructing Attribute-Based Encryption systems for circuits of arbitrary fanout. Our method is described using multilinear maps. Cryptography with multilinear maps was first postulated by Boneh and Silverberg, who discussed potential applications such as one round, $n$-way Diffie-Hellman key exchange. However, they also gave evidence that it might be difficult or not possible to find useful multilinear forms within the realm of algebraic geometry. For this reason there has existed a general reluctance among cryptographers to explore multilinear map constructions, even though for some constructions, such as the Boneh-Goh-Nissim [BGN05] slightly homomorphic encryption system or the Boneh-Sahai-Waters [BSW06] Traitor Tracing scheme, there appear to exist direct generalizations of bilinear map solutions.

Very recently, Garg, Gentry, and Halevi [GGH12] announced a surprising result. Using ideal lattices they produced a candidate mechanism that would approximate or be the moral equivalent of multilinear maps for many applications. Speculative applications include translations of existing bilinear map constructions and direct generalizations as well as future applications. While the development and cryptanalysis of their tools is at a nascent stage, we believe that their result opens an exciting opportunity to study new constructions using a multilinear map abstraction. The promise of these results is that such constructions can be brought over to their framework or a related future one. We believe that building ABE for circuits is one of the most exciting of these problems, due to the challenges discussed above and the fact that existing bilinear map constructions do not have a direct generalization.

We construct an ABE system of the Key-Policy variety where ciphertext descriptors are an $n$-tuple $x$ of boolean variables and keys are associated with boolean circuits of a max depth $\ell$, where both $\ell$ and $n$ are polynomially bounded and determined at the time of system setup. Our main construction exposition is for circuits that are layered (where gates at depth $j$ get inputs from gates at depth $j - 1$) and monotonic (consisting only of AND plus OR gates). Neither of these restrictions affects our general result, as a generic circuit can be transformed into a layered one for the same function with a small amount of overhead. In addition, using De Morgan's law one can build a general circuit from a monotone circuit with negation only appearing at the input wires. We sketch this in Section 2. We finally note that using universal circuits we can realize "Ciphertext-Policy" style ABE systems for circuits.

Our framework of multilinear maps is that a party can call a group generator $\mathcal{G}(1^\lambda, k)$ to obtain a sequence of groups $\mathbb{G} = (G_1, \dots, G_k)$, each of large prime order² $p > 2^\lambda$, where each comes with a canonical generator $g_1, \dots, g_k$. Slightly abusing notation, if $i + j \le k$ we can compute a bilinear map operation on $g_i^a \in G_i$, $g_j^b \in G_j$ as $e(g_i^a, g_j^b) = g_{i+j}^{ab}$. These maps can be seen as implementing a multilinear map.³ It is the need to commit to a certain $k$ value which will require the setup algorithm of our construction to commit to a maximum depth $\ell = k - 1$. We will prove security under a generalization of the decision BDH assumption that we call the decision $k$-multilinear assumption. Roughly, it states that given $g, g^s, g^{c_1}, \dots, g^{c_k}$ it is hard to distinguish $T = g_k^{s \prod_{j \in [1,k]} c_j}$ from a random element of $G_k$.



Our Techniques. As discussed there is no apparent generalization of the GPSW methods for 
achieving ABE for general circuits. We develop new techniques with a focus on preventing the 
backtracking attacks we described above. Intuitively, we describe our techniques as "move forward 
and shift"; this replaces and subsumes the linear interpolation method of GPSW decryption. In 
particular, our schemes do not rely on any sophisticated linear secret sharing schemes, as was done 
by GPSW. 

Consider a private key for a given monotonic⁴ circuit $f$ with max depth $\ell$ that works over a group sequence $(G_1, \dots, G_k)$. Each wire $w$ in $f$ is associated by the authority with a random value $r_w \in \mathbb{Z}_p$. A ciphertext for descriptor $x$ will be associated with randomness $s \in \mathbb{Z}_p$. A user with a secret key for $f$ should be able to decrypt if and only if $f(x) = 1$.

The decryption algorithm works by computing $g_{j+1}^{s r_w}$ for each wire $w$ at depth $j$ in the circuit that evaluates to 1 on input $x$. If the wire is 0, the decryptor should not be able to obtain this value. Decryption works from the bottom up. For each input wire $w$ at depth 1, we compute $g_2^{s r_w}$ using a very similar mechanism to GPSW.

We now turn our attention to OR gates to illustrate how we prevent backtracking attacks. Suppose wire $w$ at depth $j$ is the output of an OR gate with input wires $A(w), B(w)$. Furthermore, suppose on a given input $x$ the wire $A(w)$ evaluates to true and $B(w)$ to false, so that the decryptor has $g_j^{s r_{A(w)}}$ but not $g_j^{s r_{B(w)}}$. The private key components associated with wire $w$ are:

$$g^{a_w}, \quad g^{b_w}, \quad g_j^{r_w - a_w r_{A(w)}}, \quad g_j^{r_w - b_w r_{B(w)}}$$



² We stress that our techniques do not rely on the groups being of prime order; we only need that certain randomization properties hold in a statistical sense (which hold perfectly over groups of prime order). Therefore, our techniques generalize to other algebraic settings.

³ We technically consider the existence of a set of bilinear maps $\{e_{i,j} : G_i \times G_j \to G_{i+j} \mid i, j \ge 1;\ i + j \le k\}$, but will often abuse notation for ease of exposition.

⁴ Recall that assuming that the circuit is monotonic is without loss of generality. Our method also applies to general circuits that involve negations. See Section 2.
for random $a_w, b_w$. To move decryption onward the algorithm first computes

$$e\!\left(g_j^{s r_{A(w)}}, g^{a_w}\right) = g_{j+1}^{s a_w r_{A(w)}}.$$

This is the move forward step. Then it computes

$$e\!\left(g^s, g_j^{r_w - a_w r_{A(w)}}\right) = g_{j+1}^{s(r_w - a_w r_{A(w)})}.$$

This is the shift step. Multiplying these together gives the desired term $g_{j+1}^{s r_w}$.

Let's examine backtracking attacks in this context. Recall that the attacker's goal would be to compute $g_j^{s r_{B(w)}}$ even though wire $B(w)$ is 0, and propagate this forward. From the output term and the fourth key component the attacker can actually invert the shift process on the $B$ side and obtain $g_{j+1}^{s b_w r_{B(w)}}$; however, since the map $e$ works only in the "forward" direction, it is not possible to invert the move forward step and complete the attack. The crux of our security lies in this idea. In the main body of this paper we give our formal proof that captures this intuition.

The AND gate mechanism has a similar shift and move forward structure, but requires both inputs for decryption. If this process is applied iteratively up to an output gate $w$, then one obtains $g_k^{s r_w}$. A final header portion of the key and decryption mechanism is used to obtain the message. This portion is similar to prior work.

The details of our scheme and security proof are below. 



2 Preliminaries 

In this section, we provide some preliminaries. 

2.1 General Circuits vs. Monotone Circuits 

We begin by observing that there is a folklore transformation that uses De Morgan's rule to transform any general Boolean circuit into an equivalent monotone Boolean circuit, with negation gates only allowed at the inputs. For completeness, we sketch the construction here.

Given a Boolean circuit $C$, consider the Boolean circuit $\bar{C}$ that computes the negation of $C$. Note that such a circuit can be generated by simply recursively applying De Morgan's rule to each gate of $C$ starting at the output gate. Note that in this circuit $\bar{C}$ each wire computes the negation of the corresponding wire in $C$.

Now, we can construct a monotone circuit $M$ by combining $C$ and $\bar{C}$ as follows: take each negation gate in $C$, eliminate it, and replace the output of the negation gate by the corresponding wire in $\bar{C}$. Do the same for negation gates in $\bar{C}$, using the wires from $C$. In the end, this will yield a monotone circuit $M$ with negation gates remaining only at the input level, as desired. The size of $M$ will be no more than twice the original size of $C$, and the depth of $M$ will be identical to the depth of $C$. The correctness of this transformation follows trivially from De Morgan's rule.

As a result, we can focus our attention on monotone circuits. Note that inputs to the circuit 
correspond to attributes, and since we are in the "small universe" setting, we can simply introduce 
explicit attributes corresponding to the negation of attributes not present. 
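The De Morgan push-down sketched above, worked through in code. This is an added example, not code from the paper: it builds $C$ and its dual $\bar{C}$ side by side, removes every NOT gate by redirecting it to the dual wire, and then checks that the result is monotone, agrees with the original on all inputs, and has at most twice as many gates. The circuit representation (a dict of named wires) and the sample circuit are constructed for this example.

```python
from itertools import product

# Constructed sample circuit: f(x) = NOT((x0 AND NOT x1) OR x2) AND x3.
# A wire maps to ('IN', i), ('NOT', a), ('AND', a, b) or ('OR', a, b); 'out' is the output.
SAMPLE = {
    'i0': ('IN', 0), 'i1': ('IN', 1), 'i2': ('IN', 2), 'i3': ('IN', 3),
    'n1': ('NOT', 'i1'),
    'g1': ('AND', 'i0', 'n1'),
    'g2': ('OR', 'g1', 'i2'),
    'n2': ('NOT', 'g2'),
    'out': ('AND', 'n2', 'i3'),
}

def push_negations(circuit, out):
    """Return (monotone circuit, output wire). The dual wire computing NOT w is
    named ('neg', w); a negated input becomes ('NIN', i), which reads 1 - x_i."""
    neg = lambda w: ('neg', w)
    raw = {}
    for w, gate in circuit.items():
        kind = gate[0]
        if kind == 'IN':
            raw[w], raw[neg(w)] = gate, ('NIN', gate[1])
        elif kind == 'NOT':                # w = NOT a: w is a-bar, and NOT w is a
            a = gate[1]
            raw[w], raw[neg(w)] = ('ALIAS', neg(a)), ('ALIAS', a)
        elif kind == 'AND':                # De Morgan: NOT(a AND b) = a-bar OR b-bar
            _, a, b = gate
            raw[w], raw[neg(w)] = gate, ('OR', neg(a), neg(b))
        else:                              # 'OR': NOT(a OR b) = a-bar AND b-bar
            _, a, b = gate
            raw[w], raw[neg(w)] = gate, ('AND', neg(a), neg(b))

    def resolve(w):                        # follow alias chains to a real wire
        while raw[w][0] == 'ALIAS':
            w = raw[w][1]
        return w

    mono = {}
    for w, gate in raw.items():
        if gate[0] == 'ALIAS':
            continue                       # the NOT gates disappear
        if gate[0] in ('IN', 'NIN'):
            mono[w] = gate
        else:
            mono[w] = (gate[0], resolve(gate[1]), resolve(gate[2]))
    return mono, resolve(out)

def evaluate(circuit, out, x):
    memo = {}
    def val(w):
        if w in memo:
            return memo[w]
        g = circuit[w]
        if g[0] == 'IN':
            v = x[g[1]]
        elif g[0] == 'NIN':
            v = 1 - x[g[1]]
        elif g[0] == 'NOT':
            v = 1 - val(g[1])
        elif g[0] == 'AND':
            v = val(g[1]) & val(g[2])
        else:
            v = val(g[1]) | val(g[2])
        memo[w] = v
        return v
    return val(out)

def is_monotone(circuit):
    """Only AND/OR gates; negation survives solely as NIN leaves at the input level."""
    return all(g[0] in ('IN', 'NIN', 'AND', 'OR') for g in circuit.values())

def gate_count(circuit):
    return sum(g[0] in ('AND', 'OR', 'NOT') for g in circuit.values())

def equivalent(c1, out1, c2, out2, n):
    """Exhaustively compare the two circuits on all n-bit inputs."""
    return all(evaluate(c1, out1, x) == evaluate(c2, out2, x)
               for x in product((0, 1), repeat=n))
```

Both halves are always generated in full, which is why the gate count is at most doubled; the wires of $\bar{C}$ that nothing references are harmless and could be pruned by a reachability pass from the output.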
2.2 Multi-linear maps



We assume the existence of a group generator $\mathcal{G}$, which takes as input a security parameter $\lambda$ and a positive integer $k$ to indicate the number of allowed pairing operations. $\mathcal{G}(1^\lambda, k)$ outputs a sequence of groups $\mathbb{G} = (G_1, \dots, G_k)$, each of large prime order $p > 2^\lambda$. In addition, we let $g_i$ be a canonical generator of $G_i$ (which is known from the group's description). We let $g = g_1$.

We assume the existence of a set of bilinear maps $\{e_{i,j} : G_i \times G_j \to G_{i+j} \mid i, j \ge 1;\ i + j \le k\}$. The map $e_{i,j}$ satisfies the following relation:

$$e_{i,j}\!\left(g_i^a, g_j^b\right) = g_{i+j}^{ab} \quad \forall a, b \in \mathbb{Z}_p.$$

We observe that one consequence of this is that $e_{i,j}(g_i, g_j) = g_{i+j}$ for each valid $i, j$. When the context is obvious, we will sometimes abuse notation and drop the subscripts. For example, we may simply write:

$$e\!\left(g_i^a, g_j^b\right) = g_{i+j}^{ab}.$$

We define the decision $k$-multilinear problem as follows. A challenger runs $\mathcal{G}(1^\lambda, k)$. Then it picks random $s, c_1, \dots, c_k \in \mathbb{Z}_p$. The problem is that given $g, g^s, g^{c_1}, \dots, g^{c_k}$ it is hard to distinguish $T = g_k^{s \prod_{j \in [1,k]} c_j}$ from a random group element in $G_k$. The decision $k$-multilinear assumption is that no poly-time attacker can win this game with non-negligible advantage in $\lambda$.



2.3 Circuit Notation

We now define our notation for circuits, which adapts the model and notation of Bellare, Hoang, and Rogaway [BHR12] (Section 2.3). For our application we restrict our consideration to certain classes of boolean circuits. First, our circuits will have a single output gate. Next, we will consider layered circuits. In a layered circuit a gate at depth $j$ will receive both of its inputs from wires at depth $j - 1$. Finally, we will restrict ourselves to monotonic circuits where gates are either AND or OR gates of two inputs.⁵

Our circuits will be a five tuple $f = (n, q, A, B, \mathrm{GateType})$. We let $n$ be the number of inputs and $q$ be the number of gates. We define $\mathrm{inputs} = \{1, \dots, n\}$, $\mathrm{Wires} = \{1, \dots, n + q\}$, and $\mathrm{Gates} = \{n + 1, \dots, n + q\}$. The wire $n + q$ is the designated output wire. $A : \mathrm{Gates} \to \mathrm{Wires} \setminus \{\mathrm{outputwire}\}$ is a function where $A(w)$ identifies $w$'s first incoming wire and $B : \mathrm{Gates} \to \mathrm{Wires} \setminus \{\mathrm{outputwire}\}$ is a function where $B(w)$ identifies $w$'s second incoming wire. Finally, $\mathrm{GateType} : \mathrm{Gates} \to \{\mathrm{AND}, \mathrm{OR}\}$ is a function that identifies a gate as either an AND or OR gate.

We require that $w > B(w) > A(w)$. We also define a function $\mathrm{depth}(w)$ where if $w \in \mathrm{inputs}$ then $\mathrm{depth}(w) = 1$, and in general $\mathrm{depth}(w)$ of wire $w$ is equal to the shortest path to an input wire plus 1. Since our circuit is layered we require that for all $w \in \mathrm{Gates}$, if $\mathrm{depth}(w) = j$ then $\mathrm{depth}(A(w)) = \mathrm{depth}(B(w)) = j - 1$.

We will abuse notation and let $f(x)$ be the evaluation of the circuit $f$ on input $x \in \{0,1\}^n$. In addition, we let $f_w(x)$ be the value of wire $w$ of the circuit on input $x$.

⁵ These restrictions are mostly useful for exposition and do not impact functionality. General circuits can be built from non-monotonic circuits. In addition, given a circuit, an equivalent layered circuit exists that is larger by at most a polynomial factor.






3 Our Construction 



We now describe our construction. Our construction is of the Key-Policy form where a key generation algorithm takes in the description of a circuit $f$ and encryption takes in an input $x$ and message $M$. A user with a secret key for $f$ can decrypt if and only if $f(x) = 1$. The system is of the "public index" variety in that only the message $M$ is hidden while $x$ can be efficiently discovered from the ciphertext.

The setup algorithm will take as inputs a maximum depth $\ell$ of all the circuits as well as the input size $n$ for all ciphertexts. All circuits $f$ in our system will be of depth $\ell$ (have the output gate at depth $\ell$) and be layered as discussed in Section 2.3. Using layered circuits and having all circuits be of the same depth is primarily for ease of exposition, as we believe that our construction could directly be adapted to the general case. The fact that setup defines a maximum depth $\ell$ is more fundamental, as the algorithm defines a $k = \ell + 1$ group sequence and the associated pairings.

Setup($1^\lambda, n, \ell$) The setup algorithm takes as input a security parameter $\lambda$, the maximum depth $\ell$ of a circuit, and the number of boolean inputs $n$.

It then runs $\mathcal{G}(1^\lambda, k = \ell + 1)$ and obtains groups $\mathbb{G} = (G_1, \dots, G_k)$ of prime order $p$, with canonical generators $g_1, \dots, g_k$. We let $g = g_1$. Next, it chooses random $\alpha \in \mathbb{Z}_p$ and $h_1, \dots, h_n \in G_1$.

The public parameters, PP, consist of the group sequence description plus:

$$g_k^{\alpha}, \quad h_1, \dots, h_n$$

The master secret key MSK is $(g_{k-1})^{\alpha}$.

Encrypt(PP, $x \in \{0,1\}^n$, $M \in \{0,1\}$) The encryption algorithm takes in the public parameters, a descriptor input $x \in \{0,1\}^n$, and a message bit $M \in \{0,1\}$.

The encryption algorithm chooses a random $s \in \mathbb{Z}_p$. If $M = 0$ it sets $C_M$ to be a random group element in $G_k$; otherwise it lets $C_M = (g_k^{\alpha})^s$. Next, let $S$ be the set of $i$ such that $x_i = 1$.

The ciphertext is created as

$$\mathrm{CT} = \left(C_M,\ g^s,\ \forall i \in S:\ C_i = h_i^s\right)$$

KeyGen(MSK, $f = (n, q, A, B, \mathrm{GateType})$) The algorithm takes in the master secret key and a description $f$ of a circuit. Recall that the circuit has $n + q$ wires with $n$ input wires, $q$ gates and the wire $n + q$ designated as the output wire.

The key generation algorithm chooses random $r_1, \dots, r_{n+q} \in \mathbb{Z}_p$, where we think of randomness $r_w$ as being associated with wire $w$. The algorithm produces a "header" component

$$K_H = (g_{k-1})^{\alpha - r_{n+q}}$$

Next, the algorithm generates key components for every wire $w$. The structure of the key components depends upon whether $w$ is an input wire, an OR gate, or an AND gate. We describe how it generates components for each case.

• Input wire

By our convention if $w \in [1, n]$ then it corresponds to the $w$-th input. The key generation algorithm chooses random $z_w \in \mathbb{Z}_p$.

The key components are:

$$K_{w,1} = g^{r_w} h_w^{z_w}, \quad K_{w,2} = g^{-z_w}$$

• OR gate

Suppose that wire $w \in \mathrm{Gates}$ and that $\mathrm{GateType}(w) = \mathrm{OR}$. In addition, let $j = \mathrm{depth}(w)$ be the depth of wire $w$. The algorithm will choose random $a_w, b_w \in \mathbb{Z}_p$. Then the algorithm creates key components:

$$K_{w,1} = g^{a_w}, \quad K_{w,2} = g^{b_w}, \quad K_{w,3} = g_j^{r_w - a_w r_{A(w)}}, \quad K_{w,4} = g_j^{r_w - b_w r_{B(w)}}$$

• AND gate

Suppose that wire $w \in \mathrm{Gates}$ and that $\mathrm{GateType}(w) = \mathrm{AND}$. In addition, let $j = \mathrm{depth}(w)$ be the depth of wire $w$. The algorithm will choose random $a_w, b_w \in \mathbb{Z}_p$.

$$K_{w,1} = g^{a_w}, \quad K_{w,2} = g^{b_w}, \quad K_{w,3} = g_j^{r_w - a_w r_{A(w)} - b_w r_{B(w)}}$$

We will sometimes refer to the $K_{w,3}, K_{w,4}$ of the AND and OR gates as the "shift" components. This terminology will take on more meaning when we see how they are used during decryption.

The secret key SK output consists of the description of $f$, the header component $K_H$ and the key components for each wire $w$.

Decrypt(SK, CT) Suppose that we are evaluating decryption for a secret key associated with a circuit $f = (n, q, A, B, \mathrm{GateType})$ and a ciphertext with input $x$. We will be able to decrypt if $f(x) = 1$.

We begin by observing that the goal of decryption should be to compute $g_k^{\alpha s}$ so that we can test whether this is equal to $C_M$. First, there is a header computation where we compute $E' = e(K_H, g^s) = e(g_{k-1}^{\alpha - r_{n+q}}, g^s) = g_k^{\alpha s}\, g_k^{-r_{n+q} s}$. Our goal is now reduced to computing $g_k^{r_{n+q} s}$.

Next, we will evaluate the circuit from the bottom up. Consider wire $w$ at depth $j$; if $f_w(x) = 1$ then our algorithm will compute $E_w = (g_{j+1})^{s r_w}$. (If $f_w(x) = 0$ nothing needs to be computed for that wire.) Our decryption algorithm proceeds iteratively, starting with computing $E_1$ and proceeding in order to finally compute $E_{n+q}$. Computing these values in order ensures that the computation on a depth $j - 1$ wire (that evaluates to 1) will be defined before computing for a depth $j$ wire. We show how to compute $E_w$ for all $w$ where $f_w(x) = 1$, again breaking the cases according to whether the wire is an input, AND or OR gate.

• Input wire

By our convention if $w \in [1, n]$ then it corresponds to the $w$-th input. Suppose that $x_w = f_w(x) = 1$. The algorithm computes:

$$E_w = e(K_{w,1}, g^s) \cdot e(K_{w,2}, C_w) = e\!\left(g^{r_w} h_w^{z_w}, g^s\right) \cdot e\!\left(g^{-z_w}, h_w^s\right) = g_2^{s r_w}$$

We observe that this mechanism is similar to many existing ABE schemes.

• OR gate

Consider a wire $w \in \mathrm{Gates}$ with $\mathrm{GateType}(w) = \mathrm{OR}$. In addition, let $j = \mathrm{depth}(w)$ be the depth of wire $w$. Suppose that $f_w(x) = 1$. If $f_{A(w)}(x) = 1$ (the first input evaluated to 1) then we compute:

$$E_w = e(E_{A(w)}, K_{w,1}) \cdot e(K_{w,3}, g^s) = e\!\left(g_j^{s r_{A(w)}}, g^{a_w}\right) \cdot e\!\left(g_j^{r_w - a_w r_{A(w)}}, g^s\right) = (g_{j+1})^{s r_w}$$

Alternatively, if $f_{A(w)}(x) = 0$ but $f_{B(w)}(x) = 1$, then we compute:

$$E_w = e(E_{B(w)}, K_{w,2}) \cdot e(K_{w,4}, g^s) = e\!\left(g_j^{s r_{B(w)}}, g^{b_w}\right) \cdot e\!\left(g_j^{r_w - b_w r_{B(w)}}, g^s\right) = (g_{j+1})^{s r_w}$$

Let's examine this mechanism for the case where the first input is 1 ($f_{A(w)}(x) = 1$). In this case the algorithm "moves" the value $E_{A(w)}$ from group $G_j$ to group $G_{j+1}$ when pairing it with $K_{w,1}$. It then multiplies it by $e(K_{w,3}, g^s)$ which "shifts" that result to $E_w$.

Suppose that $f_{A(w)}(x) = 1$ but $f_{B(w)}(x) = 0$. A critical feature of the mechanism is that an attacker cannot perform a "backtracking" attack to compute $E_{B(w)}$. The reason is that the pairing operation cannot be reversed to go from group $G_{j+1}$ to group $G_j$. If this were not the case, it would be debilitating for security as gate $B(w)$ might have fanout greater than 1. This type of backtracking attack is why existing ABE constructions are limited to circuits with fanout of 1.

• AND gate

Consider a wire $w \in \mathrm{Gates}$ with $\mathrm{GateType}(w) = \mathrm{AND}$. In addition, let $j = \mathrm{depth}(w)$ be the depth of wire $w$. Suppose that $f_w(x) = 1$. Then $f_{A(w)}(x) = f_{B(w)}(x) = 1$ and we compute:

$$E_w = e(E_{A(w)}, K_{w,1}) \cdot e(E_{B(w)}, K_{w,2}) \cdot e(K_{w,3}, g^s) = e\!\left(g_j^{s r_{A(w)}}, g^{a_w}\right) \cdot e\!\left(g_j^{s r_{B(w)}}, g^{b_w}\right) \cdot e\!\left(g_j^{r_w - a_w r_{A(w)} - b_w r_{B(w)}}, g^s\right) = (g_{j+1})^{s r_w}$$

If $f(x) = f_{n+q}(x) = 1$, then the algorithm will compute $E_{n+q} = g_k^{r_{n+q} s}$. It finally computes $E' \cdot E_{n+q} = g_k^{\alpha s}$ and tests if this equals $C_M$, outputting $M = 1$ if so and $M = 0$ otherwise. Correctness holds with high probability.

A Few Remarks We end this section with a few remarks. First, the encryption algorithm takes as input a single bit message. In this setting we could imagine encoding a longer message by XORing it with the hash of $g_k^{\alpha s}$. However, we used bit encryption with a testability function to better match the lattice translation of the next section.

Our OR and AND key components respectively have two and one "shift" components. It is conceivable to have a construction with one shift component for the OR and none for the AND. However, we designed it this way since it made the exposition of our proof (in particular the distribution of private keys) easier.

Finally, our construction uses a layered circuit, where a wire at depth $j$ gets its inputs from depth $j' = j - 1$. We could imagine a small modification to our construction which allowed $j'$ to be of any depth less than $j$. Suppose this were the case for the first input. Then instead of $K_{w,1} = g_1^{a_w}$ we might more generally let $K_{w,1} = (g_{j-j'})^{a_w}$. However, we stick to describing and proving the layered case for simplicity.
4 Proof of Security

We prove (selective) security in the security model given by GPSW [GPSW06], where the input access structures are monotonic circuits. For a circuit of max depth $k - 1$ we prove security under the decision $k$-multilinear assumption.

We show that if there exists a poly-time attacker $\mathcal{A}$ on our ABE system for circuits of depth $\ell$ and inputs of length $n$ in the selective security game, then we can construct a poly-time algorithm $\mathcal{B}$ on the decision $(\ell + 1)$-multilinear assumption with non-negligible advantage. We describe how $\mathcal{B}$ interacts with $\mathcal{A}$.

Init $\mathcal{B}$ first receives the $(\ell + 1)$-multilinear problem, where it is given the group description $\mathbb{G} = (G_1, \dots, G_k)$ and a problem instance $g, g^s, g^{c_1}, \dots, g^{c_k}, T$. $T$ is either $g_k^{s \prod_{j \in [1,k]} c_j}$ or a random group element in $G_k$. (Note we slightly changed the variable names in the problem instance to better suit our proof.)

Next, the attacker declares the challenge input x* £ {0, l} n . 



Setup $\mathcal{B}$ chooses random $y_1, \dots, y_n \in \mathbb{Z}_p$. For $i \in [1, n]$ set

$$h_i = \begin{cases} g^{y_i} & \text{if } x^*_i = 1 \\ g^{y_i + c_1} & \text{if } x^*_i = 0 \end{cases}$$

Remark. Note that over $\mathbb{Z}_p$, the above choices of $h_i$ are distributed identically with the "real life" distribution. More generally, what we need is that $g^{y_i}$ is statistically close to, or indistinguishable from, $g^{y_i + c_1}$.

Next, $\mathcal{B}$ sets $g_k^{\alpha} = g_k^{\xi + \prod_{i \in [1,k]} c_i}$, where $\xi$ is chosen randomly. It computes this using $g^{c_1}, \dots, g^{c_k}$ from the assumption, by means of the iterated use of the pairing function.

Remark. Here we need that $g_k^{\xi + \prod_{i \in [1,k]} c_i}$ is statistically close to, or indistinguishable from, $g_k^{\alpha}$ for a uniformly random $\alpha$. This holds perfectly over $\mathbb{Z}_p$.

Challenge Ciphertext Let $S^* \subseteq [1, n]$ be the set of input indices where $x^*_i = 1$. $\mathcal{B}$ creates the challenge ciphertext as:

$$\mathrm{CT} = \left(T,\ g^s,\ \forall i \in S^*:\ C_i = (g^s)^{y_i}\right)$$

If $T = g_k^{s \prod_{j \in [1,k]} c_j}$ then this is an encryption of 1; otherwise, if $T$ was chosen at random in $G_k$, then w.h.p. it is an encryption of 0.



KeyGen Phase Both key generation phases are executed in the same manner by the reduction algorithm. Therefore, we describe them once here. The attacker will give a circuit $f = (n, q, A, B, \mathrm{GateType})$ to the reduction algorithm such that $f(x^*) = 0$.

We can think of the proof as maintaining some invariant properties on the depth of the gate we are looking at. Consider a gate $w$ at depth $j$ and the simulator's viewpoint (symbolically) of $r_w$. If $f_w(x^*) = 0$, then the simulator will view $r_w$ as the term $c_1 \cdot c_2 \cdots c_{j+1}$ plus some additional known randomization terms. If $f_w(x^*) = 1$, then the simulator will view $r_w$ as consisting only of known randomization terms. If we can keep this property intact for simulating the keys up the circuit, the simulator will view $r_{n+q}$ as $c_1 \cdot c_2 \cdots c_k$ plus a known randomization term. This will allow it to simulate the header component $K_H$ by cancellation.

We describe how to create the key components for each wire w. Again, we organize key com- 
ponent creation into input wires, OR gates, and AND gates. 

• Input wire

Suppose $w \in [1, n]$ and is therefore by convention an input wire.

If $(x^*)_w = 1$ then we choose $r_w$ and $z_w$ at random (as is done honestly). The key components are:

$$\left(K_{w,1} = g^{r_w} h_w^{z_w},\quad K_{w,2} = g^{-z_w}\right)$$

If $(x^*)_w = 0$ then we let $r_w = c_1 c_2 + \eta_w$ and $z_w = -c_2 + \nu_w$, where $\eta_w$ and $\nu_w$ are randomly chosen elements. The key components are:

$$\left(K_{w,1} = g^{c_1 c_2 + \eta_w} h_w^{-c_2 + \nu_w},\quad K_{w,2} = g^{c_2 - \nu_w}\right) = \left(g^{\eta_w - c_2 y_w + (y_w + c_1)\nu_w},\quad g^{c_2 - \nu_w}\right)$$

Note that a cancellation occurred that allowed the first term to be computed. Observe that both of these values are simulated consistently with our invariant.

Remark. Here we need that $g^{\eta_w - c_2 y_w + (y_w + c_1)\nu_w}$ is appropriately close to a randomly chosen element. This holds perfectly over $\mathbb{Z}_p$.

• OR gate

Now we consider a wire $w \in \mathrm{Gates}$ with $\mathrm{GateType}(w) = \mathrm{OR}$. In addition, let $j = \mathrm{depth}(w)$ be the depth of wire $w$. If $f_w(x^*) = 1$, then we simply set $a_w, b_w, r_w$ at random to values chosen by $\mathcal{B}$. Then the algorithm creates key components:

$$K_{w,1} = g^{a_w}, \quad K_{w,2} = g^{b_w}, \quad K_{w,3} = g_j^{r_w - a_w r_{A(w)}}, \quad K_{w,4} = g_j^{r_w - b_w r_{B(w)}}$$

If $f_w(x^*) = 0$, then we set $a_w = c_{j+1} + \psi_w$ and $b_w = c_{j+1} + \phi_w$ and $r_w = c_1 \cdot c_2 \cdots c_{j+1} + \eta_w$, where $\psi_w, \phi_w, \eta_w$ are chosen randomly. Then the algorithm creates key components:

$$K_{w,1} = g^{c_{j+1} + \psi_w}, \quad K_{w,2} = g^{c_{j+1} + \phi_w},$$
$$K_{w,3} = g_j^{\eta_w - c_{j+1}\eta_{A(w)} - \psi_w(c_1 \cdots c_j + \eta_{A(w)})}, \quad K_{w,4} = g_j^{\eta_w - c_{j+1}\eta_{B(w)} - \phi_w(c_1 \cdots c_j + \eta_{B(w)})}$$

$\mathcal{B}$ is able to create the last two key components due to a cancellation. Since both the $A(w)$ and $B(w)$ gates evaluated to 0 we had $r_{A(w)} = c_1 \cdots c_j + \eta_{A(w)}$ and similarly for $r_{B(w)}$. Note that computing $g_j^{c_1 \cdots c_j}$ is possible using the multilinear maps.

Remark. Here we need that $g_j^{\eta_w - c_{j+1}\eta_{A(w)} - \psi_w(c_1 \cdots c_j + \eta_{A(w)})}$ is appropriately close to a randomly chosen element (the given terms dominate the others). This holds perfectly over $\mathbb{Z}_p$.

• AND gate

Now we consider a wire $w \in \mathrm{Gates}$ with $\mathrm{GateType}(w) = \mathrm{AND}$. In addition, let $j = \mathrm{depth}(w)$ be the depth of wire $w$.

If $f_w(x^*) = 1$, then we simply set $a_w, b_w, r_w$ at random to values known by $\mathcal{B}$. Then the algorithm creates key components:

$$K_{w,1} = g^{a_w}, \quad K_{w,2} = g^{b_w}, \quad K_{w,3} = g_j^{r_w - a_w r_{A(w)} - b_w r_{B(w)}}$$

If $f_w(x^*) = 0$ and $f_{A(w)}(x^*) = 0$, then $\mathcal{B}$ sets $a_w = c_{j+1} + \psi_w$, $b_w = \phi_w$ and $r_w = c_1 \cdot c_2 \cdots c_{j+1} + \eta_w$, where $\psi_w, \phi_w, \eta_w$ are chosen randomly. Then the algorithm creates key components:

$$K_{w,1} = g^{c_{j+1} + \psi_w}, \quad K_{w,2} = g^{\phi_w}, \quad K_{w,3} = g_j^{\eta_w - \psi_w c_1 \cdots c_j - (c_{j+1} + \psi_w)\eta_{A(w)} - \phi_w r_{B(w)}}$$

$\mathcal{B}$ can create the last component due to cancellation. Since the $A(w)$ gate evaluated to 0, we have $r_{A(w)} = c_1 \cdot c_2 \cdots c_j + \eta_{A(w)}$. Note that the $\phi_w r_{B(w)}$ term is always computable regardless of whether $f_{B(w)}(x^*)$ evaluated to 0 or 1, since $g_j^{c_1 \cdots c_j}$ is always computable using the multilinear maps.

The case where $f_{B(w)}(x^*) = 0$ and $f_{A(w)}(x^*) = 1$ is handled symmetrically to what is above, with the roles of $a_w$ and $b_w$ reversed.

Remark. Here we need that $g_j^{\eta_w - \psi_w c_1 \cdots c_j - (c_{j+1} + \psi_w)\eta_{A(w)} - \phi_w r_{B(w)}}$ is appropriately close to a randomly chosen element (the given terms dominate the others). This holds perfectly over $\mathbb{Z}_p$.

For the output gate we chose $\eta_w$ at random. Thus, at the end we have $r_{n+q} = \prod_{i \in [1,k]} c_i + \eta_{n+q}$ for the output gate. This gives us a final cancellation in computing the "header" component of the key as $K_H = (g_{k-1})^{\alpha - r_{n+q}} = (g_{k-1})^{\xi - \eta_{n+q}}$.
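The cancellations the reduction relies on can be checked symbolically. The following added example (not from the paper) represents exponents as polynomials over $\mathbb{Z}_p$ in the unknown $c_i$ and the simulator's own randomness, confirms that the honest shift exponents equal the closed forms written above for the OR gate, the AND gate and the header, and checks the computability condition behind "$g_j^{c_1 \cdots c_j}$ is computable using the multilinear maps": since the simulator only holds $g^{c_i}$ in $G_1$, an element $g_j^{\mathrm{poly}}$ can be built from the instance only if no monomial of the polynomial contains more than $j$ of the $c_i$. The variable names and the modulus are constructed for the example.

```python
from collections import defaultdict

P = 2**61 - 1   # constructed stand-in for the prime p

class Poly:
    """Sparse multivariate polynomial over Z_P in the exponent variables; a monomial
    is a sorted tuple of variable names, e.g. ('c1', 'c2', 'eta_w')."""
    def __init__(self, terms=None):
        self.t = {m: c % P for m, c in (terms or {}).items() if c % P}
    @staticmethod
    def var(name):
        return Poly({(name,): 1})
    @staticmethod
    def const(c):
        return Poly({(): c})
    def __add__(self, o):
        t = defaultdict(int, self.t)
        for m, c in o.t.items():
            t[m] += c
        return Poly(t)
    def __neg__(self):
        return Poly({m: -c for m, c in self.t.items()})
    def __sub__(self, o):
        return self + (-o)
    def __mul__(self, o):
        t = defaultdict(int)
        for m1, c1 in self.t.items():
            for m2, c2 in o.t.items():
                t[tuple(sorted(m1 + m2))] += c1 * c2
        return Poly(t)
    def __eq__(self, o):
        return self.t == o.t
    def c_degree(self):
        """Largest number of c_i factors in any monomial. The simulator holds g^{c_i}
        in G_1 only, so g_j^{poly} is computable from the instance iff c_degree <= j."""
        return max((sum(v.startswith('c') for v in m) for m in self.t), default=0)

def c(i):            # the unknown c_i from the assumption instance
    return Poly.var(f'c{i}')

def known(name):     # randomness the simulator chose itself (eta, psi, phi, xi, ...)
    return Poly.var(name)

def prod_c(upto):    # c_1 * c_2 * ... * c_upto
    out = Poly.const(1)
    for i in range(1, upto + 1):
        out = out * c(i)
    return out

def or_shift_exponent(j):
    """Exponent of K_{w,3} = g_j^{r_w - a_w r_A(w)} for an OR gate at depth j with
    f_w(x*) = 0, using the simulator's definitions r_w = c_1...c_{j+1} + eta_w,
    a_w = c_{j+1} + psi_w and r_A(w) = c_1...c_j + eta_A."""
    r_w = prod_c(j + 1) + known('eta_w')
    a_w = c(j + 1) + known('psi_w')
    r_A = prod_c(j) + known('eta_A')
    return r_w - a_w * r_A

def or_shift_claimed_form(j):
    """The closed form the proof writes for the same exponent."""
    return (known('eta_w') - c(j + 1) * known('eta_A')
            - known('psi_w') * (prod_c(j) + known('eta_A')))

def and_shift_exponent(j):
    """K_{w,3} exponent r_w - a_w r_A(w) - b_w r_B(w) for an AND gate with
    f_A(w)(x*) = 0, b_w = phi_w, taking the worst case r_B(w) = c_1...c_j + eta_B."""
    r_w = prod_c(j + 1) + known('eta_w')
    a_w = c(j + 1) + known('psi_w')
    r_A = prod_c(j) + known('eta_A')
    r_B = prod_c(j) + known('eta_B')
    return r_w - a_w * r_A - known('phi_w') * r_B

def and_shift_claimed_form(j):
    r_B = prod_c(j) + known('eta_B')
    return (known('eta_w') - known('psi_w') * prod_c(j)
            - (c(j + 1) + known('psi_w')) * known('eta_A') - known('phi_w') * r_B)

def header_exponent(k):
    """alpha - r_{n+q} with alpha = xi + c_1...c_k and r_{n+q} = c_1...c_k + eta_out."""
    return (known('xi') + prod_c(k)) - (prod_c(k) + known('eta_out'))
```

The contrast worth noticing is between `or_shift_exponent(j)`, whose c-degree is $j$ and is therefore buildable in $G_j$, and the honest $r_w$ itself (`prod_c(j + 1)`), whose c-degree $j + 1$ puts $g_j^{r_w}$ out of the simulator's reach; the header exponent has c-degree 0, which is what lets $\mathcal{B}$ produce $K_H$ in $G_{k-1}$ without ever forming $g_{k-1}^{c_1 \cdots c_k}$.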

Guess $\mathcal{B}$ receives back the guess $M' \in \{0,1\}$ of the message from $\mathcal{A}$. If $M' = 1$ it guesses that the instance is a valid multilinear tuple; otherwise, it guesses that $T$ is random.